<!DOCTYPE html>
<html lang="en-us">
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
    
<meta charset="UTF-8">
<title>Search payload transform | Elasticsearch Guide [7.7] | Elastic</title>
<link rel="home" href="index.html" title="Elasticsearch Guide [7.7]">
<link rel="up" href="transform.html" title="Payload transforms">
<link rel="prev" href="transform.html" title="Payload transforms">
<link rel="next" href="transform-script.html" title="Script payload transform">
<meta name="DC.type" content="Learn/Docs/Elasticsearch/Reference/7.7">
<meta name="DC.subject" content="Elasticsearch">
<meta name="DC.identifier" content="7.7">
<meta name="robots" content="noindex,nofollow">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <script src="https://cdn.optimizely.com/js/18132920325.js"></script>
    <link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
    <link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
    <link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
    <link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
    <link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
    <link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
    <link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
    <link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
    <link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
    <link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
    <link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
    <link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
    <link rel="manifest" href="/manifest.json">
    <meta name="apple-mobile-web-app-title" content="Elastic">
    <meta name="application-name" content="Elastic">
    <meta name="msapplication-TileColor" content="#ffffff">
    <meta name="msapplication-TileImage" content="/mstile-144x144.png">
    <meta name="theme-color" content="#ffffff">
    <meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd">
    <meta name="yandex-verification" content="d8a47e95d0972434">
    <meta name="localized" content="true">
    <meta name="st:robots" content="follow,index">
    <meta property="og:image" content="https://www.elastic.co/static/images/elastic-logo-200.png">
    <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
    <link rel="icon" href="/favicon.ico" type="image/x-icon">
    <link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
    <link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
    <link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
    <link rel="stylesheet" type="text/css" href="/guide/static/styles.css">
  </head>

  <!--© 2015-2021 Elasticsearch B.V. Copying, publishing and/or distributing without written permission is strictly prohibited.-->

  <body>
    <!-- Google Tag Manager -->
    <script>dataLayer = [];</script><noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-58RLH5');</script>
    <!-- End Google Tag Manager -->

    <!-- Global site tag (gtag.js) - Google Analytics -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());
      gtag('config', 'UA-12395217-16');
    </script>

    <!--BEGIN QUALTRICS WEBSITE FEEDBACK SNIPPET-->
    <script type="text/javascript">
      (function(){var g=function(e,h,f,g){
      this.get=function(a){for(var a=a+"=",c=document.cookie.split(";"),b=0,e=c.length;b<e;b++){for(var d=c[b];" "==d.charAt(0);)d=d.substring(1,d.length);if(0==d.indexOf(a))return d.substring(a.length,d.length)}return null};
      this.set=function(a,c){var b="",b=new Date;b.setTime(b.getTime()+6048E5);b="; expires="+b.toGMTString();document.cookie=a+"="+c+b+"; path=/; "};
      this.check=function(){var a=this.get(f);if(a)a=a.split(":");else if(100!=e)"v"==h&&(e=Math.random()>=e/100?0:100),a=[h,e,0],this.set(f,a.join(":"));else return!0;var c=a[1];if(100==c)return!0;switch(a[0]){case "v":return!1;case "r":return c=a[2]%Math.floor(100/c),a[2]++,this.set(f,a.join(":")),!c}return!0};
      this.go=function(){if(this.check()){var a=document.createElement("script");a.type="text/javascript";a.src=g;document.body&&document.body.appendChild(a)}};
      this.start=function(){var a=this;window.addEventListener?window.addEventListener("load",function(){a.go()},!1):window.attachEvent&&window.attachEvent("onload",function(){a.go()})}};
      try{(new g(100,"r","QSI_S_ZN_emkP0oSe9Qrn7kF","https://znemkp0ose9qrn7kf-elastic.siteintercept.qualtrics.com/WRSiteInterceptEngine/?Q_ZID=ZN_emkP0oSe9Qrn7kF")).start()}catch(i){}})();
    </script><div id="ZN_emkP0oSe9Qrn7kF"><!--DO NOT REMOVE-CONTENTS PLACED HERE--></div>
    <!--END WEBSITE FEEDBACK SNIPPET-->

    <div id="elastic-nav" style="display:none;"></div>
    <script src="https://www.elastic.co/elastic-nav.js"></script>

    <!-- Subnav -->
    <div>
      <div>
        <div class="tertiary-nav d-none d-md-block">
          <div class="container">
            <div class="p-t-b-15 d-flex justify-content-between nav-container">
              <div class="breadcrum-wrapper"><span><a href="/guide/" style="font-size: 14px; font-weight: 600; color: #000;">Docs</a></span></div>
            </div>
          </div>
        </div>
      </div>
    </div>

    <div class="main-container">
      <section id="content">
        <div class="content-wrapper">

          <section id="guide" lang="en">
            <div class="container">
              <div class="row">
                <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                  <!-- start body -->
                  <div class="page_header">
<strong>IMPORTANT</strong>: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
<a href="../current/index.html">current release documentation</a>.
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="xpack-alerting.html">Alerting on cluster and index events</a></span>
»
<span class="breadcrumb-link"><a href="transform.html">Payload transforms</a></span>
»
<span class="breadcrumb-node">Search payload transform</span>
</div>
<div class="navheader">
<span class="prev">
<a href="transform.html">« Payload transforms</a>
</span>
<span class="next">
<a href="transform-script.html">Script payload transform »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="transform-search"></a>Search payload transform<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/watcher/transform/search.asciidoc">edit</a><a class="xpack_tag" href="/subscriptions"></a>
</h2>
</div></div></div>
<p>A <a class="xref" href="transform.html" title="Payload transforms">payload transform</a> that executes a search on the cluster and
replaces the current payload in the watch execution context with the returned
search response. The following snippet shows how a simple search transform can
be defined on the watch level:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "transform" : {
    "search" : {
      "request" : {
        "body" : { "query" : { "match_all" : {} }}
      }
    }
  }
}</pre>
</div>
<p>Like every other search based construct, one can make use of the full search
API supported by Elasticsearch. For example, the following search
payload transform execute a search over all events indices, matching events
with <code class="literal">error</code> priority:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "transform" : {
    "search" : {
      "request" : {
        "indices" : [ "events-*" ],
        "body" : {
          "size" : 0,
          "query" : {
            "match" : { "priority" : "error"}
          }
        }
      }
    }
  }
}</pre>
</div>
<p>The following table lists all available settings for the search
payload transform:</p>
<div class="table">
<a id="transform-search-settings"></a>
<p class="title"><strong>Table 93. Search payload transform settings</strong></p>
<div class="table-contents">
<table border="1" cellpadding="4px" summary="Search payload transform settings">
<colgroup>
<col class="col_1">
<col class="col_2">
<col class="col_3">
<col class="col_4">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Name</th>
<th align="center" valign="top">Required</th>
<th align="left" valign="top">Default</th>
<th align="left" valign="top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><code class="literal">request.search_type</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p>query_then_fetch</p></td>
<td align="left" valign="top"><p>The search <a class="xref" href="search-request-body.html#request-body-search-search-type" title="Search Type">type</a>.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request.indices</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p>all indices</p></td>
<td align="left" valign="top"><p>One or more indices to search on.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request.body</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p><code class="literal">match_all</code> query</p></td>
<td align="left" valign="top"><p>The body of the request. The
                                                                                  <a class="xref" href="search-request-body.html" title="Request Body Search">request body</a> follows
                                                                                  the same structure you normally send in the body of
                                                                                  a REST <code class="literal">_search</code> request. The body can be static text
                                                                                  or include <code class="literal">mustache</code> <a class="xref" href="how-watcher-works.html#templates" title="Using templates">templates</a>.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request.indices_options.expand_wildcards</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p><code class="literal">open</code></p></td>
<td align="left" valign="top"><p>Determines how to expand indices wildcards. Can be one
                                                                                  of <code class="literal">open</code>, <code class="literal">closed</code>, <code class="literal">none</code> or <code class="literal">all</code>
                                                                                  (see <a class="xref" href="multi-index.html" title="Multiple indices">multi-index support</a>)</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request.indices_options.ignore_unavailable</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p><code class="literal">true</code></p></td>
<td align="left" valign="top"><p>A boolean value that determines whether the search
                                                                                  should leniently ignore unavailable indices
                                                                                  (see <a class="xref" href="multi-index.html" title="Multiple indices">multi-index support</a>)</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request.indices_options.allow_no_indices</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p><code class="literal">true</code></p></td>
<td align="left" valign="top"><p>A boolean value that determines whether the search
                                                                                  should leniently return no results when no indices
                                                                                  are resolved (see <a class="xref" href="multi-index.html" title="Multiple indices">multi-index support</a>)</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">request.template</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p>-</p></td>
<td align="left" valign="top"><p>The body of the search template. See
                                                                                  <a class="xref" href="how-watcher-works.html#templates" title="Using templates">configure templates</a> for more information.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><code class="literal">timeout</code></p></td>
<td align="center" valign="top"><p>no</p></td>
<td align="left" valign="top"><p>30s</p></td>
<td align="left" valign="top"><p>The timeout for waiting for the search api call to
                                                                                  return. If no response is returned within this time,
                                                                                  the search payload transform times out and fails. This setting
                                                                                  overrides the default timeouts.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="transform-search-template"></a>Template support<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/watcher/transform/search.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The search payload transform support mustache <a class="xref" href="how-watcher-works.html#templates" title="Using templates">templates</a>. This
can either be as part of the body definition or alternatively point to an
existing template (either defined in a file or
<a class="xref" href="search-template.html#pre-registered-templates" title="Store a search template">registered</a> as a script in Elasticsearch).</p>
<p>For example, the following snippet shows a search that refers to the scheduled
time of the watch:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "transform" : {
    "search" : {
      "request" : {
        "indices" : [ "logstash-*" ],
        "body" : {
          "size" : 0,
          "query" : {
            "bool" : {
              "must" : {
                "match" : { "priority" : "error"}
              },
              "filter" : [
                {
                  "range" : {
                    "@timestamp" : {
                      "from" : "{{ctx.trigger.scheduled_time}}||-30s",
                      "to" : "{{ctx.trigger.triggered_time}}"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  }
}</pre>
</div>
<p>The model of the template is a union between the provided <code class="literal">template.params</code>
settings and the <a class="xref" href="how-watcher-works.html#watch-execution-context" title="Watch execution context">standard watch execution context model</a>.</p>
<p>The following is an example of using templates that refer to provided parameters:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
  "transform" : {
    "search" : {
      "request" : {
        "indices" : [ "logstash-*" ],
        "template" : {
          "source" : {
            "size" : 0,
            "query" : {
              "bool" : {
                "must" : {
                  "match" : { "priority" : "{{priority}}"}
                },
                "filter" : [
                  {
                    "range" : {
                      "@timestamp" : {
                        "from" : "{{ctx.trigger.scheduled_time}}||-30s",
                        "to" : "{{ctx.trigger.triggered_time}}"
                      }
                    }
                  }
                ]
              }
            },
            "params" : {
              "priority" : "error"
            }
          }
        }
      }
    }
  }
}</pre>
</div>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="transform.html">« Payload transforms</a>
</span>
<span class="next">
<a href="transform-script.html">Script payload transform »</a>
</span>
</div>
</div>

                  <!-- end body -->
                </div>
                <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                  <div id="rtpcontainer" style="display: block;">
                    <div class="mktg-promo">
                      <h3>Most Popular</h3>
                      <ul class="icons">
                        <li class="icon-elasticsearch-white"><a href="https://www.elastic.co/webinars/getting-started-elasticsearch?baymax=default&amp;elektra=docs&amp;storm=top-video">Get Started with Elasticsearch: Video</a></li>
                        <li class="icon-kibana-white"><a href="https://www.elastic.co/webinars/getting-started-kibana?baymax=default&amp;elektra=docs&amp;storm=top-video">Intro to Kibana: Video</a></li>
                        <li class="icon-logstash-white"><a href="https://www.elastic.co/webinars/introduction-elk-stack?baymax=default&amp;elektra=docs&amp;storm=top-video">ELK for Logs &amp; Metrics: Video</a></li>
                      </ul>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </section>

        </div>


<div id="elastic-footer"></div>
<script src="https://www.elastic.co/elastic-footer.js"></script>
<!-- Footer Section end-->

      </section>
    </div>

<script src="/guide/static/jquery.js"></script>
<script type="text/javascript" src="/guide/static/docs.js"></script>
<script type="text/javascript">
  window.initial_state = {}</script>
  </body>
</html>
